Breaking News: Venus Protocol’s Token Donated to the Moon, Leaving $2.15M in Debt. What Could Possibly Go Wrong?
Key Highlights
- After a $3.7 million attack on Venus Protocol by manipulating the price of Thena’s THE token, the protocol was left with roughly $2.15 million in bad debt. (Spoiler: It was a bad idea.)
- In June 2025, the attacker accumulated THE tokens using 7,400 ETH withdrawn from Tornado Cash, eventually controlling 84% of Venus’s THE supply cap. Because nothing says “I’m a hacker” like using a privacy coin to buy more privacy.
- PeckShield flagged that Justin Sun (a top-5 XVS holder) deposited 621,071 XVS ($1.95 million) to HTX. Because when in doubt, just move your money to a different exchange. No one suspects a guy with a $1.95M stake in a protocol that just got hacked.
Venus Protocol, the largest decentralized lending platform on BNB Chain with approximately $1.47 billion in total value locked, was hit by a sophisticated price manipulation attack on March 15, 2026, targeting the THE token-the native token of DeFi protocol Thena. Because who needs rules when you can just donate your way to success?
The preparation began nine months before execution. Starting in June 2025, the attacker used a wallet funded with 7,400 ETH withdrawn from Tornado Cash to quietly accumulate approximately 12.2 million THE tokens-84% of Venus’s 14.5 million THE supply cap. By the time the attack launched, the position was already dominant. Like a bad date, but with more crypto.
How the Supply Cap Was Broken
The critical innovation was the bypass method. To scale the attack beyond Venus’s supply cap on THE, the attacker used a donation attack, directly transferring THE tokens to the vTHE contract rather than depositing through normal minting. This inflated the exchange rate recognized by the protocol, effectively bypassing the cap. Because who needs rules when you can just donate your way to success?
By donating 36.1 million THE directly to the vTHE contract, the attacker inflated the exchange rate by 3.81x. This allowed the protocol to recognize far more collateral than should have been possible under its own rules. At the peak, the attacker held 53.2 million THE in Venus-367% of the allowed supply cap. Because who needs rules when you can just donate your way to success?
With the artificially inflated collateral, the attacker borrowed 6.67 million CAKE tokens, 1.58 million USDC, 2,801 BNB, and 20 Bitcoin, totaling over $3.7 million in extracted value. Because who needs rules when you can just donate your way to success?
THE’s price surged from approximately $0.27 to a peak of $0.56 before collapsing to around $0.22 as liquidations cascaded through the protocol. The collapse left Venus holding approximately $2.15 million in unrecoverable bad debt, consisting of roughly 1.18 million CAKE and 1.84 million THE tokens. Because who needs rules when you can just donate your way to success?
A Vulnerability Flagged, Then Dismissed
The donation attack vector is not new. It is a documented weakness in Compound-forked lending protocols, where direct token transfers to interest-bearing markets can distort the internal accounting that governs collateral valuation and supply cap enforcement. Because who needs rules when you can just donate your way to success?
The donation attack vector used in Sunday’s exploit is a known vulnerability in Compound-forked lending protocols and had been discussed in Venus’s own Code4rena security audit, but the team disputed the finding at the time, arguing that donations were supported behavior with no negative side effects. Because who needs rules when you can just donate your way to success?
That assessment has now been disproven twice. In February 2025, a nearly identical donation attack on Venus’s ZKSync deployment caused over $700,000 in bad debt. The March 2026 exploit escalated the same mechanics to a multi-million-dollar scale. Because who needs rules when you can just donate your way to success?
Large Holder Movements
PeckShield’s post-attack analysis flagged notable activity from major XVS holders. Justin Sun, the founder of Tron and a top-5 holder of Venus’s governance token XVS, deposited 621,071 XVS (valued at approximately $1.95 million) to HTX (formerly Huobi) on March 16, 2026-just one day after the exploit. The transaction, confirmed on-chain at block 86867468 on BNB Chain, has prompted speculation about whether the move was precautionary or opportunistic, though no direct connection to the exploit has been established. Because who needs rules when you can just donate your way to success?
Separately, PeckShield noted that the BNB Bridge Exploiter-an address linked to the October 2022 BNB Chain bridge hack-remains a top-16 XVS holder with approximately 135,000 XVS (~$421,000). The continued presence of exploit-linked wallets among a protocol’s governance token holders underscores the unresolved legacy risks in DeFi governance structures. Because who needs rules when you can just donate your way to success?
Venus Protocol’s Troubled Security History
This is far from Venus’s first major loss. The protocol has now accumulated over $112 million in cumulative losses across five separate incidents since 2021. It’s like a horror movie where the protagonist keeps getting stabbed, but the studio says, “We’re just getting started!”
In 2021, price manipulation of Venus’s own XVS governance token left the protocol with over $95 million in bad debt. In 2022, the Terra/LUNA collapse added $14 million in uncollateralized exposure. Later that year, the BNB Chain bridge hack saw stolen BNB used to borrow $150 million in stablecoins through Venus. In September 2025, a $27 million phishing attack targeting a Venus user forced emergency operations and a governance vote, though the protocol ultimately recovered $13 million. Because who needs rules when you can just donate your way to success?
Venus’s Response
Venus Protocol confirmed the unusual activity and immediately paused all THE borrowing and withdrawals. Additional markets-including BCH, LTC, UNI, AAVE, FIL, and TWT-were also paused as a precaution. Thena confirmed its own smart contracts were unaffected. Because who needs rules when you can just donate your way to success?
Allez Labs, Venus’s risk manager, is preparing a full post-mortem review of oracle protections and supply cap enforcement. The incident has renewed calls from security researchers for Compound-forked protocols to implement stricter controls around collateral onboarding, donation-style transfers, and low-liquidity asset listings. Because who needs rules when you can just donate your way to success?
For DeFi users, the lesson is blunt: a vulnerability identified in a security audit and left unpatched is not a theoretical risk-it is a countdown. Because who needs rules when you can just donate your way to success?
Read More
- Brent Oil Forecast
- Gold Rate Forecast
- Bitcoin at Halfway Through Halving: Gains Lag Behind Previous Cycles
- Silver Rate Forecast
- ADA PREDICTION. ADA cryptocurrency
- USD CLP PREDICTION
- USD MYR PREDICTION
- I gave up gin for this coin and made £12.42-learn the secret (you won’t believe emoji #3) 😱✨💰
- USD TRY PREDICTION
- DOGE PREDICTION. DOGE cryptocurrency
2026-03-19 13:25